FTC Bans Kochava From Selling Location Data — What the 10-Year Order Means

What the FTC did On May 15, 2026, the FTC issued a final 10-year order barring Kochava — one of the largest location data brokers in the US — from selling precise location data tied to sensitive locations without explicit consumer consent. The order requires Kochava to: Identify all sensitive locations in its database — health clinics, reproductive health centers, places of worship, domestic violence shelters, correctional facilities, labor union offices, and others Obtain affirmative express consent before selling location data associated with those locations Maintain a written sensitive location data program with quarterly accuracy assessments Certify compliance to the FTC annually This is the first time the FTC has used its Section 5 authority to specifically target sensitive location data sales. How we got here Kochava was collecting and selling location data from hundreds of millions of mobile devices. The data came from apps with location permissions — weather apps, games, shopping apps — that sold the data to Kochava through a chain of intermediaries. The FTC originally sued Kochava in 2022, alleging the company was selling data that could track people into: Reproductive health clinics (post-Dobbs, state-specific prosecution risk) Places of worship Domestic violence shelters Mental health facilities Addiction treatment centers Kochava moved to dismiss the case, arguing that the data was aggregated and anonymous. In 2023, a federal judge declined to dismiss, finding the FTC's allegations plausible. The parties negotiated a settlement that became the final order announced in May 2026. What the order actually covers The order is significant but narrow. Key limitations: Only sensitive locations are protected. Kochava can still sell location data for non-sensitive categories — stores, parks, restaurants, roads — without consent. Only Kochava is bound. The order does not apply to the hundreds of other data brokers in the US market. Explicit consent means a separate, specific opt-in. Buried terms of service disclosures do not count. The order lasts 10 years. After that, Kochava can resume the practices unless the FTC renews. The scale of the remaining problem The data broker industry in the US is estimated to include 4,000+ companies trading in personal data. The largest — Acxiom, Epsilon, LiveRamp, Oracle Data Cloud — operate with minimal federal oversight. Location data specifically is available from dozens of brokers, many of which aggregate data from the same ad exchange sources Kochava used. The FTC's action against Kochava is meaningful. It establishes a precedent that selling location data without consent is an unfair practice. But it is a single enforcement action against a single company in an industry with thousands of participants. What you can do Review location permissions on every app on your phone. Go to Settings > Privacy > Location Services and disable "Always" for any app that does not need it. Use a VPN to obscure your IP-based location from ad networks and data brokers. Opt out of data broker databases. Major brokers offer opt-out forms. The site Simple Opt Out maintains an updated directory. Check your ad ID. On Android, reset your advertising ID monthly. On iOS, enable "Limit Ad Tracking" or "Ask App Not to Track." One case will not fix the data broker industry. But it is the first case, and that matters.